Firewalls and Internet Security - Repelling the Wily Hacker
Author: William R. Cheswick and Steven M. BellovinPublisher: Addison-WesleyISBN: 0-201-63357-4Reviewed by Danny Yee
Cheswick and Bellovin have written the first book that deals specifically with the security of whole networks rather than of individual hosts. Based on their experience administering the Internet firewall at AT&T, as well as on existing papers and reports, Firewalls and Internet Security tells you how to connect a network to the Internet without exposing all your computers to nefarious attacks. It begins with an introduction to security issues and a review of TCP/IP protocols from the point of view of security, but the reader is assumed to have a good understanding of the TCP/IP, an understanding of basic security concepts and some knowledge of Unix.
The core of the book is a detailed look at how to set up and run a firewall. This begins by covering the mechanics of setting up a packet filter, application and circuit gateways, the uses and abuses of tunneling and the general limitations of firewalls. A long chapter then goes into some detail in describing the application level gateway setup at AT&T. Also contains a brief discussion of user authentication and a description of useful tools such as connection libraries, network monitors and logging programs. (They recommend doing a lot of logging.) Also discussed are counter-intelligence measures, decoys and lures, and how to use standard hacking tools to test your security yourself. The stress throughout is on keeping things simple, in traditional Unix style.
Cheswick and Bellovin then look at how things actually work in practice. Here they present a general typology of network attacks, an account of their encounter with the infamous 'Berferd' hacker in 1991, and some statistics on penetration attempts from their logs. I'm a bit unsure about some of the conclusions they draw from the latter (see below), but it's good to see some statistics being published.
To round things off there are chapters on legal issues (if you watch a hacker instead of kicking him off at once, are you responsible for any damage he does while using your system to connect elsewhere?) and cryptography. The appendix contains a list of free resources - software packages and information sources - available to those trying to maintain secure networks, a port by port analysis of TCP and UDP protocol weaknesses and some suggestions for vendors and manufacturers of networking hardware and software.
This is great stuff, and I have only one quibble. I feel Cheswick and Bellovin are a little too paranoid in places, not in their evaluation of possible threats or in the precautions they suggest, but in their evaluation of the intensity of hacking activity. So attempts to rlogin in to their gateway as root, while they may be “evil”, are almost certainly due to bored university undergraduates - I should think it's the last thing a competent hacker would try. (Of course competent hackers probably have more sense than to attack a hardened target like AT&T at all, let alone head on.) Attempts to log in as guest, demo or visitor are surely signs of cluelessness, and hardly deserve to be labelled “attacks” or “evil”. And a graph which is supposed to show that hackers are less active on weekends, to me suggests instead that most of their “penetration” attempts are from company employees or university students who don't even have net access on weekends. Using the term “hacker” instead of “cracker” for those up to no good is one thing; debasing the term to include everyone capable of typing “rlogin research.att.com -l root” is another. It's a far cry from that to being able to mount sequence number attacks on TCP connections.
Firewalls and Internet Security has no rival; while much of the information it provides is available elsewhere, no comparable summary exists. Anyone in charge of installing or administering an Internet firewall would be insane not to get a copy. And while some of it is irrelevant to smaller sites, much will be useful to anyone concerned with TCP/IP network security. That said, it should be pointed out again that this is not an introductory book on security; not only does it assume a solid knowledge of internet protocols, but it doesn't deal with anything except external network threats. Of course anyone with pretensions to being an Internet hacker will also want to read this book (if only to find out why they shouldn't try to crack AT&T :-) and it can be read just for enjoyment. As well as being extremely informative, Firewalls is also extremely entertaining, with the authors managing to inject some lightheartedness into their subject while still respecting its seriousness. I finished my copy within a day of receiving it.
Declaration of interest: I requested and received a review copy of Firewalls and Internet Security from Addison-Wesley, but have no stake, financial or otherwise, in its success.
Firewalls and Internet Security - Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin. ISBN 0-201-63357-4
Danny Yee firstname.lastname@example.org
This review and other reviews by Danny Yee are available by anonymous ftp from ftp.cs.su.oz.au in danny/book-reviews.
Comments on my reviews are always welcome. Criticism of any kind is particularly appreciated - anything from pointing out spelling mistakes to disagreement with the basic assumptions of the review.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Sony Settles in Linux Battle
- Libarchive Security Flaw Discovered
- Profiles and RC Files
- Maru OS Brings Debian to Your Phone
- Why Python?
- Snappy Moves to New Platforms
- Understanding Ceph and Its Place in the Market
- The Giant Zero, Part 0.x
- Git 2.9 Released
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide